How to detect the modular RAT CSHARP-STREAMER

Summary

The malware known as CSHARP-STREAMER is a Remote Access Trojan (RAT) developed in .NET. It has been deployed in numerous attacks over the past few years. Reports have mentioned its deployment during attacks orchestrated by REvil. However, during our casework we were able to observe the threat actor behind the ransomware Metaencryptor using CSHARP-STREAMER. Based on our visibility, we assume that Metaencryptor shows a special interest in IT service providers.

Key Takeaways

  • HiSolutions successfully identified distinctive patterns within the CSHARP-STREAMER malware, aiding in the identification of specific malware samples.
  • We confirmed the modular structure of CSHARP-STREAMER. This customization could be driven by the operators' business model, which might involve payment for specific features, or by a strategy to minimize the chances of detection and analysis.
  • The usage of the RAT has massively increased in Q3 2023.
  • HiSolutions is able to share extra detection rules to support the detection of components of the deployment kit.

Prevalence and Initial Analysis

Our investigation into the CSHARP-STREAMER malware was triggered by a ransomware incident that also included the deployment of "Metaencryptor" ransomware. Throughout the forensic examination, HiSolutions identified a Powershell loader responsible for loading, decrypting, and executing the RAT. There is public documentation linking CSHARP-STREAMER with other campaigns beyond Metaencryptor.

  • Fortgale attributes the usage to REvil
  • Arista mentions usage in Operation White Stork
  • GDATA ADAN provided a public report, even though in their case, no further malware was deployed.
  • The DFIR-Report identified the RAT during a deployment of ALPHV ransomware.

The identified Powershell loader itself, especially the AMSI-Memory-Bypass and the XOR-decryption component, consists of publicly available proof-of-concepts, shared by several security researchers. The AMSI-Memory-Bypass is a perfect copy of a script posted on Github in August 2022. The security researcher “GetRektBoy724” originally published the XOR-decryption part in 2021.

As mentioned above, GDATA ADAN had already published a report regarding the CSHARP-STREAMER toolchain, also mentioning the re-use of publicly available code. The feature set of the CSHARP-STREAMER malware in our case differs from the sample GDATA ADAN was able to analyze. "Their" sample came with a MegaUpload client and with ICMP for C2 communication, whereas the sample analyzed by us came without a MegaUpload client and without ICMP for C2 communication.

We can confirm the usage of the RAT’s TCP relay functionality. Using this feature, the threat actors were able to move from one network to another more carefully protected network.

The usage of the TCP relay function leaves traces that provide opportunities for forensic investigation: the Windows Event Log records EventID 2004, and a distinct firewall rule named "Inbound TCP Port 6667" is created by "C:\Windows\System32\netsh.exe". This behaviour (creation of a firewall rule via netsh) is already covered by a publicly available SIGMA rule written by Michel de Crevoisier. The threat actors did not use the feature on a large scale, but only in situations where they had to bridge a gap between different parts of the affected organization's network.

In total, we were able to identify the following modules in the sample initially identified by us:

  • ADUtils
  • ExecuteAssembly
  • Filetree
  • HttpServer
  • Keylogger
  • LineParser
  • PsExec
  • Relay
  • RunAs
  • Sendfile
  • Sget
  • SmbLogin
  • Wget
  • Spawn

During the attack, Metaencryptor immediately used the Relay-Feature on specific machines and enumerated the users of the domain with Windows Powershell scripts instead of using CSHARP-STREAMER’s comprehensive toolset. The reconstructed process-tree confirmed that the attacker used the RAT mainly for running a diverse set of Powershell scripts.


Evolution of Malware

The fact that our sample differed from the one GDATA ADAN analyzed led us to the assumption that CSHARP-STREAMER is modularized and assembled for a specific use case. The reasoning behind that is unclear, but two explanations come to mind: CSHARP-STREAMER might be a malware-as-a-service, where customers have to pay per feature. Another possible explanation is that the malware authors wanted to reduce the exposed feature set of each sample in order to hamper analysis and detection. We were not able to rule out either of the options. Since we wanted to gain a more complete overview of the overall capability of CSHARP-STREAMER, we tried to find further samples.

To our knowledge, the first in-the-wild samples of the malware surfaced in the second half of 2020. From our point of view, these are probably early development versions of CSHARP-STREAMER. Some of these samples contain PDB paths. The "csharp_streamer.Relay" library differs codewise from the main "csharp_streamer" library by incorporating Chinese strings. While earlier samples from 2019 contain a PDB path and are declared as version 1.0.0.0, current samples contain ascending version numbers (2.10.8515.16637 – 2.10.8700.7258).
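The version numbers quoted above have the shape that .NET produces for an AssemblyVersion wildcard such as "2.10.*": build = days since 2000-01-01, revision = seconds since local midnight divided by two. Whether the samples were really versioned that way is an assumption; the following decoder is added example code written for this article, not part of the report or of the malware, and turns the two quoted versions into build dates for timeline work.

```python
from datetime import date, datetime, time, timedelta

# .NET wildcard versioning (assumed here): build field counts days since
# 2000-01-01, revision field counts seconds since local midnight / 2.
DOTNET_EPOCH = date(2000, 1, 1)


def decode_dotnet_version(version):
    """Turn '2.10.8515.16637' into (build_date, build_time); raise on odd input."""
    parts = [int(p) for p in version.split(".")]
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {version!r}")
    _major, _minor, build, revision = parts
    # Wildcard builds never exceed 65534 days or 43199 half-seconds.
    if not 0 <= build <= 65534 or not 0 <= revision <= 43199:
        raise ValueError(f"{version!r} does not look like a wildcard-generated version")
    build_date = DOTNET_EPOCH + timedelta(days=build)
    midnight = datetime.combine(build_date, time())
    build_time = (midnight + timedelta(seconds=revision * 2)).time()
    return build_date, build_time


def version_span(first, last):
    """Days between the build dates of two samples, e.g. the range quoted above."""
    return (decode_dotnet_version(last)[0] - decode_dotnet_version(first)[0]).days


if __name__ == "__main__":
    for v in ("2.10.8515.16637", "2.10.8700.7258"):  # versions quoted in the text
        d, t = decode_dotnet_version(v)
        print(f"{v}: built around {d} {t} (local time of the build machine)")
```

The decoded dates are only as trustworthy as the assumption that the build used a wildcard version; a hand-set AssemblyVersion would decode to a meaningless date.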

The analysis of samples shows that there are two main configurations of CSHARP-STREAMER used in the wild, one with the MegaUpload client and one without. While we couldn't identify samples from the year 2022, we are confident that CSHARP-STREAMER was also in active use during this time period.

The observed uptick of the RAT's usage in August 2023 also marks the beginning of Metaencryptor's publishing of victims (12 in August, 1 in September, 2 in November, 1 in December) and LostTrust's trove of 53 victims in August.

As mentioned by Fortgale, the RAT has also been used in 2021 by REvil/GoldSouthfield and, according to Arista, by an unknown threat actor in summer 2022. While we can see an overlap in TTPs with Arista's report in our case (similar staging directories and tooling), we are not confident in attributing both attacks to the same threat actor. The switch in TTPs in the incident handled by us suggests the work of an initial access broker that gave MetaEncryptor access to the environment. The compilation timestamp of GData's samples also correlates with the occurrence of new C2 infrastructure in early 2023. In combination with the utilization of the RAT by multiple actors and in at least three different configurations (Mega, Mega + ICMP, Basic), we expect that the malware is provided as a service to ransomware groups. The recent publication of "The DFIR-Report" identifies the RAT during an attack of ALPHV.


Detection and Response

Early development samples contain the PDB path "D:\Devel\csharp-streamer\csharp-streamer\obj\Release\csharp-streamer.pdb". Additionally, the malware contains some specific strings with typos, like "ListRalays", which can aid in detection.

Thus, we can provide a Yara rule that helps with the identification of known samples. Please note that in the cases known to us, the sample was loaded only in memory, never written to disk, so the rule has to be applied to memory dumps or live process memory rather than to files.

Additional detection mechanisms involve:

  • PowershellScriptBlock-Logging
  • The creation of firewall-rules by netsh.exe
  • Multiple static strings which can be found in memory
  • The use of CSHARP-STREAMER's user agent websocket-sharp/1.0
  • Specific Web-Requests (see headers below)

TTP and Detection Rules

The following rules are shared as TLP:CLEAR.

Yara Rule

rule CSHARP_STREAMER {
    meta:
        description = "Detects decrypted csharp_streamer"
        author = "HiSolutions AG"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer"
        sharing = "TLP:CLEAR"
        date = "2023-12-18"
        score = 100
    strings:
        $y1 = "csharp_streamer.Properties"
        $y2 = "csharp_streamer.Utils"
        $y3 = "csharp_streamer.ms17_10"
        $y4 = "csharp-streamer"
        $z1 = "iphlpapi.dll" ascii wide
        $z2 = "\\<title\\b[^>]*\\>\\s*(?<Title>[\\s\\S]*?)\\</title\\>" ascii wide
        $z3 = "MagicConstants.kSessionTerminate = ByteString.CopyFrom" ascii wide
        $z4 = "StartRalay"
        $d1 = "csharp-streamer.pdb"
    condition:
        uint16(0) == 0x5a4d and (3 of ($y*) or all of ($z*) or $d1)
}

SIGMA Rule

title: Potential csharp_streamer Powershell-Loader
id: 77bdea07-634c-49ad-96d3-03736882b914
status: test
description: Detects Powershell-Loader as seen with csharp_streamer.
references:
    - none
author: HiSolutions AG
date: 2023/12/18
tags:
    - tlp.white
    - attack.t1562.001
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    ps_script:
        EventID: 4104
        Channel:
            - Microsoft-Windows-PowerShell/Operational
            - PowerShellCore/Operational
    selection:
        ScriptBlockText|contains:
            - '[WinApi]::VirtualProtect($funcAddr, [uint32]$patch.Length, 0x40, [ref] $out)'
            - '$wc = New-Object System.Net.WebClient; $wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy();'
            - '$string = xor "$rawData" "decrypt" "'
            - 'if($metInfo.GetParameters().Length -eq 0) # If Assembly - VB, update params'
            - '-UseBasicParsing -UserAgent "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 (.NET CLR 3.5.30729)" ).Content'
            - '$amsiDll = [WinApi]::LoadLibrary("ams"+"i.dll")'
            - '$funcAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScanB"+"uffer")'
    condition: ps_script and selection
falsepositives:
    - Unknown
level: high
ruletype: Sigma
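To show how the indicators from the detection list above (the netsh firewall rule for port 6667 left by the relay feature, the websocket-sharp/1.0 user agent) and the loader fragments from the Sigma rule can be checked together, here is a small triage over constructed log records. It is added example code written for this article, not part of HiSolutions' tooling; the flat event field names and the sample records are assumptions made for the example.

```python
import re

# Constructed sample records (not from the report) mimicking the three log sources
# named above: PowerShell EventID 4104 script blocks, Windows Firewall EventID 2004
# rule additions and a proxy line with the user agent. Field names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": '$amsiDll = [WinApi]::LoadLibrary("ams"+"i.dll")'},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem -Path C:\\Users -Recurse"},
    {"EventID": 2004, "RuleName": "Inbound TCP Port 6667", "LocalPorts": "6667",
     "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"},
    {"EventID": 2004, "RuleName": "Core Networking - DNS (UDP-In)", "LocalPorts": "53",
     "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": "proxy", "UserAgent": "websocket-sharp/1.0", "Host": "c2.example"},
    {"EventID": "proxy", "UserAgent": "Mozilla/5.0", "Host": "update.example"},
]

# Loader fragments copied from the Sigma rule above.
LOADER_MARKERS = (
    '[WinApi]::VirtualProtect($funcAddr, [uint32]$patch.Length, 0x40, [ref] $out)',
    '$string = xor "$rawData" "decrypt" "',
    '$amsiDll = [WinApi]::LoadLibrary("ams"+"i.dll")',
    '$funcAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScanB"+"uffer")',
)
NETSH_RE = re.compile(r"\\netsh\.exe$", re.IGNORECASE)


def classify(event):
    """Return the name of the matching detection, or None for a benign record."""
    eid = event.get("EventID")
    if eid == 4104:
        if any(marker in event.get("ScriptBlockText", "") for marker in LOADER_MARKERS):
            return "csharp_streamer_powershell_loader"
    elif eid == 2004:
        # Relay feature: netsh.exe adds an inbound rule for TCP port 6667.
        if NETSH_RE.search(event.get("ModifyingApplication", "")) and event.get("LocalPorts") == "6667":
            return "csharp_streamer_relay_firewall_rule"
    elif eid == "proxy":
        # Exact match on the user agent named above; websocket-sharp is also a legitimate library.
        if event.get("UserAgent") == "websocket-sharp/1.0":
            return "csharp_streamer_websocket_user_agent"
    return None


def triage(events):
    """Group the records that fired a detection by detection name."""
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(name, []).append(ev)
    return hits
```

Running triage(SAMPLE_EVENTS) yields one hit per detection name; the three benign records fall through to None.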

Malware related MITRE ATT&CK Techniques

| ID | Technique | Usage |
|---|---|---|
| T1016 | System Network Configuration Discovery | The malware enumerates the network configuration of infected hosts. |
| T1018 | Remote System Discovery | The malware queries LDAP to discover additional systems. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | The malware uses a PsExec implementation to support lateral movement. |
| T1046 | Network Service Discovery | The malware implements port-scanning capabilities and contains descriptions for multiple ports. |
| T1056.001 | Input Capture: Keylogging | The malware offers keylogging functionality. |
| T1083 | File and Directory Discovery | The malware can create file trees on infected systems. It also contains an extensive dictionary of strings to classify found files (e.g. network architecture, finance, passwords). |
| T1090.001 | Proxy: Internal Proxy | The malware has dedicated port-relaying capabilities. |
| T1095 | Non-Application Layer Protocol | The malware supports C2 communication via ICMP. |
| T1110.001 | Brute Force: Password Guessing | The malware has an integrated function that supports brute-forcing credentials for SMB access. |
| T1113 | Screen Capture | The malware can capture screenshots. |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | The malware supports token impersonation. |
| T1134.002 | Access Token Manipulation: Create Process with Token | The malware offers the ability to launch processes in different contexts. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | The malware patches the in-memory amsi.dll before executing PowerShell commands. |
| T1567 | Exfiltration Over Web Service | The malware allows data exfiltration via HTTPS. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | The malware allows direct file exfiltration to Mega.io. |
| T1620 | Reflective Code Loading | The malware can execute code from URLs, remote and local files directly in memory. |

TTP related to CSHARP-Streamer malware

Threat Actor (TA) related MITRE ATT&CK Techniques

| ID | Technique | Usage |
|---|---|---|
| T1018 | Remote System Discovery | The TA queries the AD environment for computers via a Powershell script using "adsisearcher"[1]. |
| T1021.002 | Remote Services (SMB/Windows Admin Shares) | The TA uses "PSExec"[2] to execute commands on remote systems via a Powershell script. |
| T1033 | System Owner / User Discovery | The TA queries the AD environment and uses LDAP for user discovery via a Powershell script using "adsisearcher". |
| T1046 | Network Service Discovery | The TA queries the AD environment for SPNs via a Powershell script. |
| T1082 | System Information Discovery | The TA queries the AD environment for the operating system and system version via a Powershell script. |
| T1083 | File and Directory Discovery | The TA lists files in multiple directories and actively searches for KeePass configuration files. |
| T1087.001 | Account Discovery (Local) | The TA uses "net user" to enumerate local users on each computer via a Powershell script. |
| T1087.002 | Account Discovery (Domain) | The TA uses "net user" and "adsisearcher" to enumerate domain users on each computer via a Powershell script. |
| T1087.003 | Account Discovery (Mail) | The TA uses "adsisearcher" to enumerate mail users on each computer via a Powershell script. |
| T1217 | Browser Information Discovery | The TA uses NirSoft's "Browser History View"[3] to view the history of Internet Explorer, Firefox, Chrome and Safari via a Powershell script. |
| T1482 | Domain Trust Discovery | The TA queries the AD environment for all trust relationships via a Powershell script. |
| T1485 | Data Destruction | The TA uses "format" to format secondary partitions via "PSExec". |
| T1486 | Data Encrypted for Impact | The TA encrypts virtual machines on the hypervisor level. Local files are encrypted through the use of ransomware deployed via "PSExec". |
| T1497.001 | Virtualization/Sandbox Evasion (System Checks) | The TA checks the host environment via the BIOS serial number and manufacturer of the computer via a Powershell script. |
| T1518 | Software Discovery | The TA lists all .lnk files in the Windows\Start Menu folder and analyzes the Windows\Prefetch folder for executed and installed applications via a Powershell script. |
| T1558.003 | Steal or Forge Kerberos Tickets (Kerberoasting) | The TA uses "PowerView"[4] from the "PowerSploit" framework to acquire tickets and converts them for later usage via a Powershell script. |
| T1569.002 | System Services (Service Execution) | The TA uses "PSExec" to execute commands on remote systems via a Powershell script. |
| T1614 | System Location Discovery | The TA queries the AD environment for department and physical delivery location of computers via a Powershell script. |
| T1619 | Cloud Storage Object Discovery | The TA lists all files in the main folder path of "OneDrive" and "Dropbox" and their first subdirectory level via a Powershell script. |

TTP related to MetaEncryptor threat actor using CSHARP-Streamer